iOS Trojan Targets Hong Kong Protestors

First time accepted submitter Kexel writes Security researchers have claimed to discover the first Apple iOS Trojan attack in a move to thwart the communications of pro-democracy Hong Kong activists. From the article: "The malicious software, known as Xsser, is capable of stealing text messages, photos, call logs, passwords and other data from Apple mobile devices, researchers with Lacoon Mobile Security said on Tuesday. They uncovered the spyware while investigating similar malware for Google Inc's Android operating system last week that also targeted Hong Kong protesters. Anonymous attackers spread the Android spyware via WhatsApp, sending malicious links to download the program, according to Lacoon. It is unclear how iOS devices get infected with Xsser, which is not disguised as an app."

How is this complicated?

[i kan reed]

1. You grab your protestor-beating-nightstick.
2. You walk down to the phone distributor's HQ
3. You say: "You know that software update system you built for your phones? Let us borrow it for a while"
4. If you run into any problems, gesture vaguely at the nightstick from step 1.

Problem solved.

Re:

[i kan reed]

Great firewall, etc. It's almost certainly the case that Apple operating in China is contingent on their software distrobution channels going through some layer of official interference.

I don't know the details because
A. I'm not Chinese
B. The Chinese government isn't big on letting the technical details of their great firewall go public

Re:

[Austerity Empowers]

Or just say you can't sell your phones in our country with 3 billion people willing to sell kidneys for it w/o this software installed...

Re:

[Muad'Dave]

And you think the Chinese government is incapable or unwilling to forge a certificate or two and act as a MITM as the data traverses their great firewall?

Advanced? Requires a Jailbreak & manual instal

[mTor]

Here's the actual analysis of malware:

https://www.lacoon.com/lacoon-... [lacoon.com]

The iOS device needs to be jailbroken in order to be infected. Then with Cydia installed, the repository would be need to be added and then the package could be installed. All thatâ(TM)s known is that both the iOS and Android attacks share a CnC server.

Re:Advanced? Requires a Jailbreak & manual ins

[Noah Haders]

+1000 relevant. when any iOS malware is reported, the first question is, "does it require jailbreaking". To my knowledge all of the trojan/spyware/NSAware/etc require a jailbroken iphone.

Re:Advanced? Requires a Jailbreak & manual ins

[Noah Haders]

oh by the way, the exploit to jailbreak ios7 was developed by a previously-unknown Chinese haX0r group. Just putting that out there.

Re:

[mTor]

jailbreak ios7 was developed by a previously-unknown Chinese haX0r group

Code for Pangu jailbreak was stolen from a well-known iOS hacker and security researcher i0n1c/Stefan Esser:

https://twitter.com/i0n1c/stat... [twitter.com]

Re:

[BasilBrush]

Stefen Esser.
And the trojan is called Xsser?
Connection?

Re:

[Swave An deBwoner]

http://arstechnica.com/security/2014/06/surprise-ios-7-1-jailbreak-for-most-iphones-and-ipads-uses-year-old-flaw/?comments=1 [arstechnica.com]

jdale Ars Scholae Palatinae

Quote:
FTR: if pangu team releases a public jailbreak with vulnerabilities disclosed to them during my training I consider this in no way okay.

...

So finally after 1.75 years of being known to me, having tought it to 50-70 students a "friend" takes the bug and sells a jb based on it.

I'm not even an iOS user, but in my opinion if he discovered an exploit and

Re:

[robmv]

Until someone use one of those remote vulnerabilities that were used previously to jailbreak phones for malware (I remember one that did the jailbreak with just visiting a web page). We are talking about China here, so if this is some kind of government sponsored attack, they probably already have unreported security bugs at their disposal. It is true that iPhone security has being enhanced with every release, but at the same time code size has increased, so It must be something in ther to do more damage w

Re:

[Noah Haders]

I think that one was a vulnerability in iOS 4.1. Since then there have been a variety of tethered and untethered jailbreaks. All have required directly interacting with the physical device, and all these holes have been plugged up quickly once the vulnerability is released.

Re:

[Rich0]

+1000 relevant. when any iOS malware is reported, the first question is, "does it require jailbreaking". To my knowledge all of the trojan/spyware/NSAware/etc require a jailbroken iphone.

That's great, but seriously, who doesn't jailbreak their iphone? The security of the walled garden is fairly theoretical since there is so much incentive to disable it.

It is a bit like saying that some website can't steal your personal info unless you click through that warning that shows up the first time you use Firefox on a webpage with a non-SSL form.

Re:Advanced? Requires a Jailbreak & manual ins

[Wrath0fb0b]

Perhaps stories like this will make clear what the costs of disabling code signing really are, to be weighed against the incentive to disable it ...

Not much need to jailbreak IOS

[Dr. Evil]

I'm considering jailbreaking my iPhone to be able to run git. Otherwise... I just haven't had the need.

Android's a different story. You need to root your phone so that you can firewall your flashlight app.

Re:

[Rennt]

Wouldn't it be simpler to just pick a flashlight app that doesn't ask for access to gps and network access?

Re:Advanced? Requires a Jailbreak & manual ins

[Noah Haders]

well, considering that over 50% of all iOS devices are running iOS 8, and no jailbreak exists for this OS, i think there are a lot of people who hasnt jailbroken their phones. anecdotally, I don't know anybody that has done this. oh wait I know one guy but he was a bit of a wanker.

Re:

[tlhIngan]

That's great, but seriously, who doesn't jailbreak their iphone? The security of the walled garden is fairly theoretical since there is so much incentive to disable it.

It is a bit like saying that some website can't steal your personal info unless you click through that warning that shows up the first time you use Firefox on a webpage with a non-SSL form.

Generally the number of jailbroken iOS devices has hovered around 10%.

Not too many people do jailbreak because iOS is pretty much good enough, and each rev

Re:

[mgemmons]

You ignored the second part of the requirement: The malware requires a jailbroken phone AND THEN it requires you to _install the malware_.

In other news, if you disable your computer's anti-virus software and install a virus you will...have a virus. Shocking, I know.

Re:

[AmiMoJo]

GCHQ claims to be able to access any iPhone, jailbroken or not. It stands to reason that it is possible, since clearly the jailbreak exploit itself is cable of exploiting a non-jailbroken phone. Other malware could discover and use the same weaknesses.

Remember when you could jailbreak just by visiting a website?

Re:

[Noah Haders]

yes that was for ipad2 and iphone4. the diff between apple and goog is that less than 10% of ios devices are using anything before ios7, and less than 2% using anything before ios6. meanwhile, the vast majority of goog users are stuck on old OS before 4.0 cuz they're no longer supported.

Re:

[NoNonAlphaCharsHere]

sudo apt-get install malware

Easy-peasy.

Re:

[ernst_mulder]

Beware that many jailbreakers also install SSH on their devices. SSH comes with a default password "alpine" for the two users present on an iOS device (root and mobile). Both of them obviously need to be changed.

If a jailbreaker forgets to change both default passwords SSH access is wide open and malware can easily be installed from outside.

Re:

[Tanlis]

It affects jailbroken iPhones.

As usual the clip of text Slashdot uses doesn't bother to mention that.

Re:

[neoritter]

As usual some ass hat doesn't read the article before commenting.

The article itself doesn't mention the jail break portion. How do you expect the poster to?

Re:

[Tanlis]

My apologies, thought I saw it in the article, but must of misremembered that I read it from a different article.

I blame Reuters for not doing a better investigation.

Re:

[Plumpaquatsch]

As usual some ass hat doesn't read the article before commenting.

The article itself doesn't mention the jail break portion. How do you expect the poster to?

This is Slashdot, most don't even bother reading the summary, let alone the article to the part where the real info is hidden.

Re:

[Plumpaquatsch]

How is it FUD that protesters in Hong Kong are being targeted for malware? You might not have to worry about it with a no jailbreak phone, but you probably also don't have to worry about it if you aren't in Hong Kong protesting the Chinese Government hand selecting candidates for the elections.

Feel free to go back to sticking your head in the sand and not worrying about the troubles of people around the globe as long as things are rosy in your neighborhood.

And somehow you think the protestors are not to worry about the (older) Android Trojan that shares the same C&C servers. Which for some reason seem to be located in South Korea?

iOS Attack Vector?

[Ronin Developer]

The Android attack vector is pretty clear. Oddly, they don't know how it spreads to iOS devices. If it's not spread as an malicious, sandboxed app, then how does it get on an iPhone?

How about:
a) Phone was jailbroken.
b) Phone had a modified iOS installed.
c) Some vulnerability exists in one of the built in apps that allows malicious software to be installed outside of the confines of the sandbox.

Given it's happening in China during the protests and with a large iOS device blackmarket, I'm betting on (b) followed by (a) with a very slight chance of (c) and that this malware won't be seen in the rest of world anytime soon.

Re:

[carlhaagen]

Jailbroken iOS, is the vector and requirement.

Re:

[Ronin Developer]

Yes, read the analysis offered in another poster's comments.

So, the question begging to be asked is whether jailbreaking phones in China by the owner is a common occurrence or if the phones are sold "pre-jailbroken" by a larger agency and able to download and install these hacks at will?

Re:

[Noah Haders]

So, the question begging to be asked is whether jailbreaking phones in China by the owner is a common occurrence or if the phones are sold "pre-jailbroken" by a larger agency and able to download and install these hacks at will?

ooh, that's a good question! are all iphones jailbroken by the time they hit the apple store? If you install a new OS version, will that overwrite the covert jailbreaking or is the jailbreaking embedded so deep that you can't get around it? I don't know the answers to these questions.

Re:iOS Attack Vector?

[tlhIngan]

So, the question begging to be asked is whether jailbreaking phones in China by the owner is a common occurrence or if the phones are sold "pre-jailbroken" by a larger agency and able to download and install these hacks at will?

Probably a mix of both, because the #1 reason to jailbreak these days seems to be... pirating software. I mean, the iOS 7.12 jailbreak was done by a bunch of Chinese people to promote... their Chinese app store. Which happens to conveniently be filled with pirated apps. (It was one of the things that led to the original iOS7 exploit to be questioned).

So effectively the users jailbreak to get "free apps" from the Chinese app store that also happens to install malware along with it.

I'm guessing the Chinese store must have a lot of pirated apps, because piracy on iOS is just at a lower level - at least on Android there are entire "daily packs" that contain new and freshly updated paid apps on your favorite torrent site (which can be RSS fed to your torrent client). iOS apps ... not so much. Maybe a fraction and not as convenient to get.

Re:

[chuckugly]

I just want to thank you for not using "begs the question" incorrectly here.

Re:

[BasilBrush]

Phones are sold with the latest OS version. Jailbreaks take months to come out for a particular OS version, if they come out at all.

For example there is no iOS 8 jailbreak. So no iPhone 6 or any iOS device running iOS 8 is jailbroken.

I can believe that a good proportion of pre-owned phones come with a jailbreak. But not new phones, even if they are grey market or intercepted by corrupt governments.

Re:

[stevez67]

If you are one of the mobile phone developers who think the security of mobile phone operating systems is in any way acceptable and you jailbreak your device to make it more secure, you will have blood on your hands. FTFY

Attention Slashdot Editors

[rabtech]

Is this a story about iOS malware? Then you should require the answer to this question:

1. DOES IT REQUIRE JAILBREAK?

The only *interesting* iOS malware story is one that does not require jailbreak. I'm not aware of any; there may be some that use known or unknown exploits, but in this case the malware requires the user to have a jailbroken phone. That's not news or "stuff that matters".

Sincerely,
Slashdot Readers

Re:

[Anonymous Coward]

If it's jail broken it's no longer an iOS device.

Re:

[AK Marc]

It's not spreading on iOS devices. It's spreading on non-iOS devices that were sold with iOS. There's a difference.

Re:

[AK Marc]

iOS is a trademarked name for a specific (signed and secure) OS. The jailbroken version is no longer iOS.

By your logic, if I download the source code of Linux, and purposefully put a security flaw in it, I can then install it on my machine then go to the media and complain how "Linux" is insecure and flawed.

Nope, the jailbroken fork of iOS is most certainly not iOS.

Re:

[AK Marc]

The only security flaw in iOS is not sufficiently blocking jailbreakers.

Your argument is that it's the locks fault if the homeowner unlocks his door, removes the lock from the door, uses it to prop open the door, and gets robbed.

Re:

[Plumpaquatsch]

Targeting and suppression of people using a tech device isn't news that matters? Seriously go fuck yourself and stop speaking for everyone on slashdot like you're our representative.

So pointing out that to suppress people they would have to jailbreak their iPhones is useless information that just aids in the suppression, but not even mentioning the existence of Android apps related to the Trojan is utterly okay.

Re:

[blueg3]

It doesn't just require a jailbreak. It also requires the user to install the software.

Wow, that was quick.

[baudilus]

Sounds to me like that had this ready to go, even before the protests. I'd imagine that the percentage of jailbroken iOS devices in China markedly outstrips those in the western world, given the political climate and sandboxed internet there. It seems that the government was both aware of the devices and had the gun cocked and ready to fire.

Re:

[LordWabbit2]

I imagine most first world governments have a cyber division by now, who are quietly searching for exploits, and when one is found it's put into a database for future use, and not reported to whoever made the software. I'll but when shellshock was discovered by external security researchers there was a collective "Aaah Damn It!" from the NSA.

It is called IOS 8.0.1

[www.sorehands.com]

IOS 8.0.1 will disrupt cellular communications on an iPhone without the need to root the phone.

It's not a bug, it is a feature.

Because...

[koan]

Apple designs them this way, so that nation states can access therm, they get favored status for this.

The otherr option for you fanbois is that Apple is simply incompetent.

xsser

[koan]

https://www.lacoon.com/lacoon-... [lacoon.com]

"Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity."

A total non-story then ..

[lippydude]

'Security researchers have claimed to discover the first Apple iOS Trojan attack .. It is unclear how iOS devices get infected with Xsser, which is not disguised as an app."'